Abstract

It is shown that antidomain semirings are more expressive than test semirings and that Kleene algebras 
with domain are more expressive than Kleene algebras with tests. It is also shown that Kleene algebras 
with domain are expressive for propositional Hoare logic whereas Kleene algebras with tests are not. 


1 Introduction 

Kleene algebras with tests (KAT) [4] yield arguably the simplest and most elegant model of the control flow
in simple while-programs. They provide an abstract algebraic view on the standard relational semantics
of imperative programs, have been applied to various program analysis tasks and form the backbone of
program construction and verification tools. In particular, the inference rules of propositional Hoare logic
(PHL), that is, Hoare logic without the assignment rule, can be derived in this setting [5]. Kleene algebras
with domain (KAD) [3] are a similar formalism that provides an algebraic approach to propositional dynamic
logic and predicate transformer semantics. The inference rules of PHL are derivable in KAD as well, and it
is known that every KAD is a KAT [3].

From a complexity point of view, the equational theory of KAT is known to be PSPACE complete [8],
whereas that of KAD is decidable in EXPTIME [7]. It also seems plausible that KAD is more expressive
than KAT; after all, image and preimage as well as modal box and diamond operators can be defined in the
former algebra.

This article makes this gap in expressive power precise, showing that KAD is strictly more expressive than 
KAT with a simple, natural and interesting example. Firstly it is shown that the inverse of the sequential 
composition rule of PHL, when expressed as a formula in the language of KAT, is derivable from the axioms 
of KAD. Secondly, a model of KAT is presented in which this formula does not hold. In addition it is shown 
that KAT is not expressive for PHL, whereas this is trivially the case for KAD. 

Inverting the inference rules of Hoare logic is interesting for verification condition generation in the 
context of program correctness, where intermediate assertions such as weakest liberal preconditions need to 
be computed. It is also related to the question of expressivity of Hoare logic in relative completeness proofs. 

2 KAD and KAT 

A semiring is a structure $(S, +, \cdot, 0, 1)$ such that $(S, +, 0)$ is a commutative monoid, $(S, \cdot, 1)$ is a monoid, and
the two monoids interact via the distributivity laws $x \cdot (y + z) = x \cdot y + x \cdot z$ and $(x + y) \cdot z = x \cdot z + y \cdot z$
and the annihilation laws $0 \cdot x = 0$ and $x \cdot 0 = 0$.

A dioid is an additively idempotent semiring, that is, $x + x = x$ holds for all $x \in S$. In this case, $(S, +)$
forms a semilattice with order relation defined as $x \le y \Leftrightarrow x + y = y$. Multiplication is isotone with respect
to the order, $x \le y$ implies both $z \cdot x \le z \cdot y$ and $x \cdot z \le y \cdot z$, and $0 \le x$ holds for all $x \in S$.

A Kleene algebra is a dioid expanded by a star operation that satisfies the unfold and induction axioms

$$1 + x \cdot x^* = x^*, \qquad 1 + x^* \cdot x = x^*, \qquad z + x \cdot y \le y \Rightarrow x^* \cdot z \le y, \qquad z + y \cdot x \le y \Rightarrow z \cdot x^* \le y.$$
An antidomain semiring [3] is a semiring $S$ endowed with an operation $a : S \to S$ that satisfies

$$a(x) \cdot x = 0, \qquad a(x \cdot y) + a(x \cdot a(a(y))) = a(x \cdot a(a(y))), \qquad a(x) + a(a(x)) = 1.$$

These axioms imply that every antidomain semiring is a dioid. A domain operation can be defined on $S$ as
$d = a \circ a$. It is a retraction, that is, $d \circ d = d$, and it follows that $x \in d(S) \Leftrightarrow d(x) = x$, where $d(S)$ denotes
the image of the set $S$ under $d$. This fact can be used to show that $(d(S), +, \cdot, a, 0, 1)$ forms a boolean algebra
in which multiplication coincides with meet and the antidomain operator $a$ yields test complementation. In
addition we need the following fact about antidomain semirings.

Lemma 1 ([3]). In every antidomain semiring, $x \cdot y = 0 \Leftrightarrow x \cdot d(y) = 0$.

A Kleene algebra with domain [3] is both a Kleene algebra and an antidomain semiring.

A test semiring is a dioid $S$ in which a boolean algebra $B$ is embedded by a map $\iota : B \to S$ such that

$$\iota(0) = 0, \qquad \iota(1) = 1, \qquad \iota(x \cup y) = \iota(x) + \iota(y), \qquad \iota(x \cap y) = \iota(x) \cdot \iota(y).$$

A Kleene algebra with tests [3] is both a Kleene algebra and a test semiring. In the tradition of Kleene
algebras with tests the embedding is left implicit. I write $p, q, r, \ldots$ for boolean elements, which are called
tests, and $x, y, z$ for arbitrary semiring elements. I write AS for the class and axiom system of antidomain
semirings, TS for that of test semirings, KAD for that of Kleene algebras with domain and KAT for that of
Kleene algebras with tests.

Lemma 2 ([3]). KAD $\subseteq$ KAT.

Proof. If $K \in$ KAD then $d(K)$ is a boolean algebra, hence a test algebra. The embedding is provided by the
identity function on $d(K)$ as a subset of $K$. Thus $K \in$ KAT. □

It follows that AS $\subseteq$ TS. Thus, for any $K \in$ KAD, all elements in $d(K)$ may serve as tests in the associated
$(K, d(K)) \in$ KAT.

The notions of domain, antidomain and tests can be motivated from the model of binary relations.

Proposition 1 ([5, 3]). Let $2^{A \times A}$ be the set of binary relations over the set $A$. Suppose that

$$R \cdot S = \{(a, b) \mid \exists c.\ (a, c) \in R \wedge (c, b) \in S\}, \qquad id = \{(a, a) \mid a \in A\},$$

$$a(R) = \{(a, a) \mid \forall b.\ (a, b) \notin R\}, \qquad R^* = \bigcup_{i \in \mathbb{N}} R^i,$$

where $R^0 = id$ and $R^{i+1} = R \cdot R^i$. Then

1. $(2^{A \times A}, \{R \mid R \subseteq id\}, \cup, \cdot, \emptyset, id, {}^*) \in$ KAT.

2. $(2^{A \times A}, \cup, \cdot, \emptyset, id, a, {}^*) \in$ KAD.

The operation $\cdot$ on relations is the standard relational product; $id$ is the identity relation on $A$. The
operation $a$ is the domain complement on relations; $a(R)$ represents those states in $A$ that are not related
by $R$ to any state.

3 Expressive Power of KAD and Invertibility in PHL 

To show that antidomain semirings are strictly more expressive than test semirings and that Kleene algebras with
domain are strictly more expressive than Kleene algebras with tests I display a sentence $\varphi$ in the language
of KAT such that KAT $\nvdash \varphi$ and KAD $\vdash \varphi$. To prove that KAT $\nvdash \varphi$ I display a $(K, B) \in$ KAT such that
$(K, B) \not\models \varphi$.
The sentence $\varphi$ chosen for this purpose is related to the relative completeness of Hoare logic. It is well
known that the validity of a Hoare triple can be encoded in the language of KAT [5], and hence KAD, as

$$\{p\}x\{q\} \Leftrightarrow p \cdot x \cdot \bar{q} = 0,$$

where tests $p$ and $q$ serve as assertions and $\bar{q}$ represents the boolean complement of test $q$. Moreover the
inference rules of PHL are derivable in KAT [5]. In particular the rule $\{p\}x\{r\} \wedge \{r\}y\{q\} \Rightarrow \{p\}x \cdot y\{q\}$ for
sequential composition can be derived in TS and AS. Invertibility of this rule means finding for any Hoare
triple $\{p\}x \cdot y\{q\}$ an assertion $r$ such that $\{p\}x\{r\}$ and $\{r\}y\{q\}$. Hence consider the following sentence in
the language of KAT:

$$\varphi = (\forall x, y \in K,\ p \in B,\ q \in B.\ \{p\}x \cdot y\{q\} \Rightarrow (\exists r \in B.\ \{p\}x\{r\} \wedge \{r\}y\{q\})).$$

Lemma 3. KAT $\nvdash \varphi$.

Proof. Consider the KAT $(\{0, a, 1\}, \{0, 1\}, +, \cdot, 0, 1, {}^*)$ with addition defined by the order $0 < a < 1$, multiplication by
$a \cdot a = 0$ and $a^* = 1$ (all other operations on elements being fixed). Note that $a$ is not a test because $a \cdot a \neq a$.
In this algebra, $1 \cdot a \cdot a \cdot \bar{0} = 1 \cdot 0 \cdot 1 = 0$, so $\{1\}a \cdot a\{0\}$ holds. However, $r$ can be neither $0$ nor $1$. In the first
case, $\{1\}a\{0\}$ fails since $1 \cdot a \cdot \bar{0} = 1 \cdot a \cdot 1 = a$; in the second one, $\{1\}a\{0\}$ fails for the same reason, $1 \cdot a \cdot \bar{0} = 1 \cdot a \cdot 1 = a$. □
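As an added illustration, not part of the paper, the three-element KAT of this proof can be checked mechanically. The Python script below, written for this page with function names of my own, verifies the dioid, Kleene star and test axioms on $\{0, a, 1\}$ by exhaustive enumeration and then searches the test set $\{0, 1\}$ for an intermediate assertion $r$ splitting the valid triple $\{1\}a \cdot a\{0\}$; the search comes back empty, which is exactly the content of the lemma.

```python
"""Added example (not part of the paper): brute-force check of the three-element
KAT used in the proof of Lemma 3, plus the search for an intermediate assertion r."""
from itertools import product

# Carrier K = {0, a, 1} with 0 < a < 1; addition is the join (maximum) in that order.
ELEMS = ["0", "a", "1"]
TESTS = ["0", "1"]                # the embedded boolean algebra B; a is not a test
RANK = {"0": 0, "a": 1, "1": 2}

def plus(x, y):
    return x if RANK[x] >= RANK[y] else y

def times(x, y):
    """0 annihilates, 1 is neutral, and the only remaining product is a . a = 0."""
    if x == "0" or y == "0":
        return "0"
    if x == "1":
        return y
    if y == "1":
        return x
    return "0"

def star(x):
    return "1"                    # 0* = 1* = a* = 1

def complement(t):
    """Boolean complement on the tests {0, 1}."""
    return "1" if t == "0" else "0"

def leq(x, y):
    return plus(x, y) == y

def check_kat_axioms():
    """Exhaustively verify the dioid, Kleene star and test axioms on the finite carrier."""
    for x in ELEMS:
        ok = (plus(x, "0") == x and plus(x, x) == x
              and times("1", x) == x and times(x, "1") == x
              and times("0", x) == "0" and times(x, "0") == "0"
              and plus("1", times(x, star(x))) == star(x)
              and plus("1", times(star(x), x)) == star(x))
        if not ok:
            return False
    for x, y, z in product(ELEMS, repeat=3):
        if plus(x, y) != plus(y, x) or plus(plus(x, y), z) != plus(x, plus(y, z)):
            return False
        if times(times(x, y), z) != times(x, times(y, z)):
            return False
        if times(x, plus(y, z)) != plus(times(x, y), times(x, z)):
            return False
        if times(plus(x, y), z) != plus(times(x, z), times(y, z)):
            return False
        # star induction axioms
        if leq(plus(z, times(x, y)), y) and not leq(times(star(x), z), y):
            return False
        if leq(plus(z, times(y, x)), y) and not leq(times(z, star(x)), y):
            return False
    for t in TESTS:  # the tests form a boolean algebra under +, . and complement
        if times(t, t) != t or plus(t, complement(t)) != "1" or times(t, complement(t)) != "0":
            return False
    return True

def hoare(p, x, q):
    """{p} x {q}  iff  p . x . complement(q) = 0 (the KAT encoding of Hoare triples)."""
    return times(times(p, x), complement(q)) == "0"

def intermediate_assertions(p, x, y, q):
    """All tests r with {p} x {r} and {r} y {q}; empty means the sequential rule cannot be inverted."""
    return [r for r in TESTS if hoare(p, x, r) and hoare(r, y, q)]

def lemma3_instance():
    """The instance from the proof: p = 1, x = y = a, q = 0.  Returns (triple valid?, witnesses)."""
    return hoare("1", times("a", "a"), "0"), intermediate_assertions("1", "a", "a", "0")

if __name__ == "__main__":
    print("KAT axioms hold:", check_kat_axioms())
    print("{1} a.a {0} valid, witnesses r:", lemma3_instance())
```

Running the script prints `True` for the axiom check and `(True, [])` for the instance: the composite triple is valid, but neither test is an admissible $r$, so the sentence $\varphi$ fails in this model.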

Lemma 4. AS $\vdash \varphi$.

Proof. Let $S \in$ AS and suppose $p \cdot x \cdot y \cdot \bar{q} = 0$, with $p, q \in d(S)$. We need an expression $r$ such that $p \cdot x \cdot \bar{r} = 0$
and $r \cdot y \cdot \bar{q} = 0$. So let $r = a(y \cdot \bar{q})$, whence $\bar{r} = a(r) = d(y \cdot \bar{q})$. The assumption and Lemma 1 then imply
that $p \cdot x \cdot \bar{r} = p \cdot x \cdot d(y \cdot \bar{q}) = 0$. Moreover, $r \cdot y \cdot \bar{q} = a(y \cdot \bar{q}) \cdot y \cdot \bar{q} = 0$ follows from the first antidomain axiom. □

These two lemmas can be summarised as follows. 

Theorem 1. There exists a sentence in the language of KAT which is derivable from the AS axioms, but 
not from the KAT axioms. 

Thus antidomain semirings are strictly more expressive than test semirings, and Kleene algebras with 
domain are strictly more expressive than Kleene algebras with tests. 


4 Expressive Power of KAD and Expressivity of PHL 

The question of invertibility of the rules of Hoare logic relates to its expressivity, requiring that for each
command $x$ and postcondition $q$ the weakest liberal precondition be definable. In any $K \in$ KAD, the weakest
liberal precondition exists for any element $x \in K$ and test $p \in d(K)$ by definition.

Formally, for all $x, y \in K$ one can define a modal box operator

$$[x]y = a(x \cdot a(y))$$

and show that $p \le [x]q \Leftrightarrow p \cdot x \cdot \bar{q} = 0$. So $\{p\}x\{q\} \Leftrightarrow p \le [x]q$ yields an alternative definition of the validity
of Hoare triples, in which $\lambda p.\ [x]p : d(K) \to d(K)$ is a predicate transformer [7].

It follows that $\{[x]q\}x\{q\}$ ($[x]q$ is a precondition for $x$ and $q$) and $\{p\}x\{q\} \Rightarrow p \le [x]q$ ($[x]q$ is weaker
than any other precondition of $x$ and $q$). Hence $[x]q$ models indeed the weakest liberal precondition of $x$ and
$q$. Since the standard relational semantics of while programs without the assignment rule can be captured
in KAT [4] (and KAD) by defining $\text{if } p \text{ then } x \text{ else } y = p \cdot x + \bar{p} \cdot y$ and $\text{while } p \text{ do } x = (p \cdot x)^* \cdot \bar{p}$, the
following fact is obvious.

Theorem 2. KAD is expressive for PHL. 

The proof of Lemma 4 can now be rewritten in the light of this discussion. First of all, $r = [y]q$ models
precisely the weakest liberal precondition of $y$ and $q$. The next lemma then arises as an instance of $\varphi$ in
combination with the sequential composition rule of Hoare logic.

Lemma 5. AS $\vdash \{p\}x \cdot y\{q\} \Leftrightarrow \{p\}x\{[y]q\}$.

The second, implicit conjunct is of course $\{[y]q\}y\{q\}$. It is valid and has therefore been deleted.
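As an added example, not from the paper: the relational KAD of Proposition 1 over a constructed four-element state set, implemented in Python with relation and function names of my own. It checks the antidomain axioms, Lemma 1 and the star unfold law on random relations, and then checks Lemma 4 and Lemma 5 together: the witness $r = [y]q = a(y \cdot \bar{q})$ splits every valid triple $\{p\}x \cdot y\{q\}$, is itself a precondition of $y$ and $q$, and lies above every other such precondition, i.e. it is the weakest liberal precondition.

```python
"""Added example (not part of the paper): the relational KAD of Proposition 1 on a
constructed four-state set, used to check the antidomain axioms, Lemma 1 and the
invertibility results of Lemmas 4 and 5 by random testing."""
import random
from itertools import product

STATES = range(4)                               # A = {0, 1, 2, 3}, constructed
ID = frozenset((s, s) for s in STATES)          # the identity relation, the unit 1
EMPTY = frozenset()                             # the empty relation, the zero 0

def compose(r, s):
    """Relational product R . S."""
    return frozenset((a, b) for (a, c) in r for (c2, b) in s if c == c2)

def antidomain(r):
    """a(R): the states (as a subrelation of id) that have no R-successor."""
    sources = {a for (a, _) in r}
    return frozenset((s, s) for s in STATES if s not in sources)

def domain(r):
    """d(R) = a(a(R)): the states that do have an R-successor."""
    return antidomain(antidomain(r))

def star(r):
    """R* as the reflexive-transitive closure, iterated until it stabilises."""
    acc = ID
    while True:
        nxt = acc | compose(acc, r)
        if nxt == acc:
            return acc
        acc = nxt

def box(x, q):
    """[x]q = a(x . a(q)): the states from which every x-step lands in q."""
    return antidomain(compose(x, antidomain(q)))

def hoare(p, x, q):
    """{p} x {q}  iff  p . x . a(q) = 0; on tests, a(q) is the complement of q."""
    return compose(compose(p, x), antidomain(q)) == EMPTY

def random_relation(rng, density=0.3):
    return frozenset(pair for pair in product(STATES, repeat=2) if rng.random() < density)

def random_test(rng):
    return frozenset(pair for pair in ID if rng.random() < 0.5)

def check_antidomain_axioms(trials=200, seed=1):
    """Antidomain axioms, Lemma 1 and the star unfold law on random relations."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, y = random_relation(rng), random_relation(rng)
        if compose(antidomain(x), x) != EMPTY:
            return False
        lhs = antidomain(compose(x, y)) | antidomain(compose(x, domain(y)))
        if lhs != antidomain(compose(x, domain(y))):
            return False
        if antidomain(x) | domain(x) != ID:
            return False
        if (compose(x, y) == EMPTY) != (compose(x, domain(y)) == EMPTY):   # Lemma 1
            return False
        if ID | compose(x, star(x)) != star(x):
            return False
    return True

def check_invertibility(trials=300, seed=2):
    """Lemma 5: {p} x.y {q} iff {p} x {[y]q}; [y]q is a precondition of y, q and the weakest one."""
    rng = random.Random(seed)
    for _ in range(trials):
        x, y = random_relation(rng), random_relation(rng)
        p, q = random_test(rng), random_test(rng)
        r = box(y, q)                                # the witness of Lemma 4: a(y . a(q))
        if hoare(p, compose(x, y), q) != hoare(p, x, r):
            return False
        if not hoare(r, y, q):
            return False
        if hoare(p, y, q) and not p <= r:            # every precondition lies below [y]q
            return False
    return True

if __name__ == "__main__":
    print("antidomain axioms / Lemma 1:", check_antidomain_axioms())
    print("Lemma 5 and weakest precondition:", check_invertibility())
```

Because the state set is finite, the test algebra here is complete and $[x]q$ always exists; the situation of Theorem 3 below, where the weakest liberal precondition fails to exist, needs the infinite finite/cofinite model and is not reproduced by this script.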

In KAT the situation is different. 

Theorem 3. KAT is not expressive for PHL. 

Proof. Let $A$ be an infinite set and $\mathcal{B} = \{B \subseteq A \mid B \text{ is finite}\} \cup \{B \subseteq A \mid B \text{ is cofinite}\}$. It has been shown
that $(2^A, \mathcal{B}, \cup, \cap, \emptyset, A, {}^*) \in$ KAT in which $B^* = A$ for all $B \subseteq A$ [1]. The test algebra $\mathcal{B}$ is not complete
because suprema of infinitely many finite sets need not be in $\mathcal{B}$.

Consider a set $C \in 2^A - \mathcal{B}$ and suppose that $a(C \cap a(\emptyset)) = a(C \cap A) = a(C)$, the weakest liberal
precondition of $C$ and $\emptyset$, exists. Thus $a(C) \cap C = \emptyset$ by definition. In addition, $C$ has of course a complement
$\bar{C} \in 2^A - \mathcal{B}$ as well. It follows that $a(C) \subsetneq \bar{C}$ and hence $\bar{C} - a(C) \neq \emptyset$.

So let $x \in \bar{C} - a(C)$ and consider the set $a(C) \cup \{x\}$. By construction it is an element of $\mathcal{B}$ that contains
$a(C)$ and still satisfies $(a(C) \cup \{x\}) \cap C = \emptyset$. This contradicts the maximality assumption on $a(C)$.

Hence there is a KAT in which for some element $x$ and test $p$ the weakest liberal precondition $[x]p$ of $x$
and $p$ does not exist, and KAT is not expressive for PHL. □

5 Concluding Remarks 

The left distributivity law $x \cdot (y + z) = x \cdot y + x \cdot z$ is not needed in the proof of Lemma 4 (and Lemma 1).
Formula $\varphi$ can be derived already from the axioms of antidomain near-semirings [2] and Kleene algebras
with domain based on near-semirings are already more expressive than KAT.

The result of Lemma 4 can be dualised and extended, so that other solutions for $r$ can be found. A notion
of opposition duality can be defined on a semiring by swapping the order of multiplication. Obviously, the
opposite of every Kleene algebra is again a Kleene algebra. The domain operation on a semiring translates
to a range operation on the opposite semiring, and vice versa. Thus an antirange and a range operation
on a semiring (with $r = ar \circ ar$) can be axiomatised by $x \cdot ar(x) = 0$, $ar(x \cdot y) + ar(r(x) \cdot y) = ar(r(x) \cdot y)$ and $ar(x) + r(x) = 1$.
It is then easy to check that $r = r(p \cdot x)$ provides a solution to a dual variant of Lemma 4. The proof uses
the fact that $x \cdot y = 0$ is equivalent to $r(x) \cdot y = 0$ in antirange semirings, which is obtained from Lemma 1
by opposition duality.

One can also consider Kleene algebras with antidomain and antirange operations. It is then appropriate
to impose $d(ar(x)) = ar(x)$ and $r(a(x)) = a(x)$ to enforce that $d(S)$ and $r(S)$ coincide [3]. In this context,
also $r = r(p \cdot x) \cdot a(y \cdot \bar{q})$ provides a third solution to a generalised variant of Lemma 4.

A final remark concerns the invertibility of the remaining inference rules of propositional Hoare logic. 
Invertibility of the consequence rule(s) is trivial. The equivalence 

$$\{p \cdot t\}x\{q\} \wedge \{p \cdot \bar{t}\}y\{q\} \Leftrightarrow \{p\}\text{if } t \text{ then } x \text{ else } y\{q\}$$

is derivable in KAT: that $\{p\}\text{if } t \text{ then } x \text{ else } y\{q\}$ implies $\{p \cdot t\}x\{q\}$, for instance, is verified by

$$0 = t \cdot 0 = t \cdot p \cdot (t \cdot x + \bar{t} \cdot y) \cdot \bar{q} = p \cdot t \cdot t \cdot x \cdot \bar{q} + p \cdot t \cdot \bar{t} \cdot y \cdot \bar{q} = p \cdot t \cdot x \cdot \bar{q} + 0,$$

which is $\{p \cdot t\}x\{q\}$.

For the while rule $\{p \cdot t\}x\{p\} \Rightarrow \{p\}\text{while } t \text{ do } x\{p \cdot \bar{t}\}$, the stronger consequent $\{p\}(t \cdot x)^*\{p\}$ (the while
loop satisfies the invariant $p$) is derivable from the antecedent, and invertibility follows from

$$p \cdot t \cdot x \cdot \bar{p} \le p \cdot (t \cdot x)^* \cdot \bar{p} = 0.$$